diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index d1bcf64a..20189d24 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1310,7 +1310,7 @@ interface(`corenet_non_ipsec_sendrecv',`
########################################
##
-## Send generic packets.
+## Send generic client packets.
##
##
##
@@ -1318,17 +1318,17 @@ interface(`corenet_non_ipsec_sendrecv',`
##
##
#
-interface(`corenet_send_generic_packets',`
+interface(`corenet_send_generic_client_packets',`
gen_require(`
- type packet_t;
+ type client_packet_t;
')
- allow $1 packet_t:packet send;
+ allow $1 client_packet_t:packet send;
')
########################################
##
-## Receive generic packets.
+## Receive generic client packets.
##
##
##
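Review bot: The `interface(` line renames `corenet_send_generic_packets` to `corenet_send_generic_client_packets` without leaving a wrapper under the old name, so any policy module outside this tree that still calls the old interface stops building once corenetwork.if is regenerated; the same applies to the `corenet_receive_generic_packets`, `corenet_sendrecv_generic_packets` and `corenet_relabelto_generic_packets` renames in the next three hunks. A one-line interface under each old name that forwards to the client variant, e.g. a body of `corenet_send_generic_client_packets($1)` (with a deprecation warning if this tree has such a macro), would keep the change backward compatible. Note that old-to-client is not the right mapping for every caller: this commit itself switches kernel.te and rpc.if to the server variant, so an external caller in a server role would need the same treatment rather than the wrapper.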
@@ -1336,17 +1336,17 @@ interface(`corenet_send_generic_packets',`
##
##
#
-interface(`corenet_receive_generic_packets',`
+interface(`corenet_receive_generic_client_packets',`
gen_require(`
- type packet_t;
+ type client_packet_t;
')
- allow $1 packet_t:packet recv;
+ allow $1 client_packet_t:packet recv;
')
########################################
##
-## Send and receive generic packets.
+## Send and receive generic client packets.
##
##
##
@@ -1354,14 +1354,14 @@ interface(`corenet_receive_generic_packets',`
##
##
#
-interface(`corenet_sendrecv_generic_packets',`
- corenet_send_generic_packets($1)
- corenet_receive_generic_packets($1)
+interface(`corenet_sendrecv_generic_client_packets',`
+ corenet_send_generic_client_packets($1)
+ corenet_receive_generic_client_packets($1)
')
########################################
##
-## Relabel packets to the generic packet type.
+## Relabel packets to the generic client packet type.
##
##
##
@@ -1369,12 +1369,81 @@ interface(`corenet_sendrecv_generic_packets',`
##
##
#
-interface(`corenet_relabelto_generic_packets',`
+interface(`corenet_relabelto_generic_client_packets',`
gen_require(`
- type packet_t;
+ type client_packet_t;
')
- allow $1 packet_t:packet relabelto;
+ allow $1 client_packet_t:packet relabelto;
+')
+
+########################################
+##
+## Send generic server packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_send_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet send;
+')
+
+########################################
+##
+## Receive generic server packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_receive_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet recv;
+')
+
+########################################
+##
+## Send and receive generic server packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_sendrecv_generic_server_packets',`
+ corenet_send_generic_server_packets($1)
+ corenet_receive_generic_server_packets($1)
+')
+
+########################################
+##
+## Relabel packets to the generic server packet type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_relabelto_generic_server_packets',`
+ gen_require(`
+ type server_packet_t;
+ ')
+
+ allow $1 server_packet_t:packet relabelto;
')
########################################
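Review bot: The descriptions of the four new server interfaces (`## Send generic server packets.` and siblings) do not say what a generic server packet is in practice, and with the gennetfilter.py change in this commit that matters: `server_packet_t` becomes the default SECMARK label on the input chain, i.e. it covers every inbound packet on a port that has no `network_port` declaration, so `corenet_sendrecv_generic_server_packets` is a broad grant rather than a narrow one. Suggest adding one sentence to each summary, e.g. `## Generic server packets are inbound packets on ports that have no specific port type.`, with the matching wording on the client interfaces earlier in this hunk, so a policy author can judge how much is being granted. Whether replies on such connections keep the server label depends on the generated netfilter chains' handling of established connections, which is outside this diff.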
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index abb1370a..5c36eb36 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.10)
+policy_module(corenetwork,1.1.11)
########################################
#
@@ -32,9 +32,9 @@ dev_node(tun_tap_device_t)
#
#
-# packet_t is the default type of IPv4 and IPv6 packets.
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
#
-type packet_t, packet_type;
+type client_packet_t, packet_type, client_packet_type;
#
# port_t is the default type of INET port numbers.
@@ -47,6 +47,11 @@ sid port gen_context(system_u:object_r:port_t,s0)
#
type reserved_port_t, port_type, reserved_port_type;
+#
+# server_packet_t is the default type of IPv4 and IPv6 server packets.
+#
+type server_packet_t, packet_type, server_packet_type;
+
network_port(afs_bos, udp,7007,s0)
network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
network_port(afs_ka, udp,7004,s0)
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index 7a8b5539..3e9fc748 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.9)
+policy_module(kernel,1.3.10)
########################################
#
@@ -288,7 +288,7 @@ optional_policy(`
corenet_udp_sendrecv_all_ports(kernel_t)
corenet_udp_bind_all_nodes(kernel_t)
corenet_sendrecv_portmap_client_packets(kernel_t)
- corenet_sendrecv_generic_packets(kernel_t)
+ corenet_sendrecv_generic_server_packets(kernel_t)
auth_dontaudit_getattr_shadow(kernel_t)
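Review bot: `corenet_sendrecv_generic_server_packets(kernel_t)` replaces a rule that covered the single `packet_t` in both directions, but with this commit's gennetfilter.py defaults locally originated traffic on an unregistered port is marked `client_packet_t` on the output chain, and kernel_t no longer has `send` on that type. If the kernel itself initiates connections on such ports (in-kernel NFS or similar clients) this should surface as packet send denials; either add `corenet_sendrecv_generic_client_packets(kernel_t)` alongside, or leave a comment stating why kernel_t is treated as server-only. The same question applies to the `rpc_domain_template` change in rpc.if. The surrounding block starts outside the hunk, so it is not visible whether these lines sit inside the `optional_policy` named in the hunk header.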
diff --git a/refpolicy/policy/modules/services/rpc.if b/refpolicy/policy/modules/services/rpc.if
index 93e340db..912f8fff 100644
--- a/refpolicy/policy/modules/services/rpc.if
+++ b/refpolicy/policy/modules/services/rpc.if
@@ -72,7 +72,7 @@ template(`rpc_domain_template', `
corenet_tcp_bind_generic_port($1_t)
corenet_udp_bind_generic_port($1_t)
corenet_udp_bind_reserved_port($1_t)
- corenet_sendrecv_generic_packets($1_t)
+ corenet_sendrecv_generic_server_packets($1_t)
fs_search_auto_mountpoints($1_t)
diff --git a/refpolicy/policy/modules/services/rpc.te b/refpolicy/policy/modules/services/rpc.te
index 7857d274..1305e089 100644
--- a/refpolicy/policy/modules/services/rpc.te
+++ b/refpolicy/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.2.6)
+policy_module(rpc,1.2.7)
########################################
#
diff --git a/refpolicy/policy/modules/system/hotplug.te b/refpolicy/policy/modules/system/hotplug.te
index e1598889..14bad2df 100644
--- a/refpolicy/policy/modules/system/hotplug.te
+++ b/refpolicy/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug,1.2.0)
+policy_module(hotplug,1.2.1)
########################################
#
@@ -52,17 +52,13 @@ kernel_read_net_sysctls(hotplug_t)
files_read_kernel_modules(hotplug_t)
+corenet_non_ipsec_sendrecv(hotplug_t)
corenet_tcp_sendrecv_all_if(hotplug_t)
corenet_udp_sendrecv_all_if(hotplug_t)
-corenet_raw_sendrecv_all_if(hotplug_t)
corenet_tcp_sendrecv_all_nodes(hotplug_t)
corenet_udp_sendrecv_all_nodes(hotplug_t)
-corenet_raw_sendrecv_all_nodes(hotplug_t)
corenet_tcp_sendrecv_all_ports(hotplug_t)
corenet_udp_sendrecv_all_ports(hotplug_t)
-corenet_non_ipsec_sendrecv(hotplug_t)
-corenet_tcp_bind_all_nodes(hotplug_t)
-corenet_udp_bind_all_nodes(hotplug_t)
dev_rw_sysfs(hotplug_t)
dev_read_usbfs(hotplug_t)
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index d3538454..0c39a20f 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.15)
+policy_module(init,1.3.16)
gen_require(`
class passwd rootok;
@@ -249,18 +249,15 @@ kernel_dontaudit_getattr_message_if(initrc_t)
files_read_kernel_symbol_table(initrc_t)
+corenet_non_ipsec_sendrecv(initrc_t)
corenet_tcp_sendrecv_all_if(initrc_t)
-corenet_raw_sendrecv_all_if(initrc_t)
corenet_udp_sendrecv_all_if(initrc_t)
corenet_tcp_sendrecv_all_nodes(initrc_t)
-corenet_raw_sendrecv_all_nodes(initrc_t)
corenet_udp_sendrecv_all_nodes(initrc_t)
corenet_tcp_sendrecv_all_ports(initrc_t)
corenet_udp_sendrecv_all_ports(initrc_t)
-corenet_non_ipsec_sendrecv(initrc_t)
-corenet_tcp_bind_all_nodes(initrc_t)
-corenet_udp_bind_all_nodes(initrc_t)
corenet_tcp_connect_all_ports(initrc_t)
+corenet_sendrecv_all_client_packets(initrc_t)
dev_read_rand(initrc_t)
dev_read_urand(initrc_t)
diff --git a/refpolicy/policy/modules/system/ipsec.te b/refpolicy/policy/modules/system/ipsec.te
index bf5a5df0..930c8dcb 100644
--- a/refpolicy/policy/modules/system/ipsec.te
+++ b/refpolicy/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec,1.1.0)
+policy_module(ipsec,1.1.1)
########################################
#
@@ -83,15 +83,17 @@ kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)
# Pluto needs network access
+corenet_non_ipsec_sendrecv(ipsec_t)
corenet_tcp_sendrecv_all_if(ipsec_t)
corenet_raw_sendrecv_all_if(ipsec_t)
corenet_tcp_sendrecv_all_nodes(ipsec_t)
corenet_raw_sendrecv_all_nodes(ipsec_t)
corenet_tcp_sendrecv_all_ports(ipsec_t)
-corenet_non_ipsec_sendrecv(ipsec_t)
corenet_tcp_bind_all_nodes(ipsec_t)
-corenet_udp_bind_reserved_port(ipsec_t)
-corenet_udp_bind_isakmp_port(ipsec_t)
+corenet_tcp_bind_reserved_port(ipsec_t)
+corenet_tcp_bind_isakmp_port(ipsec_t)
+corenet_sendrecv_generic_server_packets(ipsec_t)
+corenet_sendrecv_isakmp_server_packets(ipsec_t)
dev_read_sysfs(ipsec_t)
dev_read_rand(ipsec_t)
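Review bot: Replacing `corenet_udp_bind_isakmp_port(ipsec_t)` and `corenet_udp_bind_reserved_port(ipsec_t)` with their `tcp_` counterparts looks wrong for pluto: IKE/ISAKMP runs over UDP port 500 (and UDP 4500 for NAT traversal), so after this change the daemon's bind of its UDP socket will be denied unless a udp bind is granted somewhere outside this hunk. The context lines also show only `corenet_tcp_sendrecv_*` and `corenet_raw_sendrecv_*` for ipsec_t with no udp sendrecv rules, which makes the intent hard to read from the diff alone. If TCP really is intended for a specific IKE implementation, add a comment saying so next to the bind lines; otherwise restore `corenet_udp_bind_reserved_port(ipsec_t)` and `corenet_udp_bind_isakmp_port(ipsec_t)` while keeping the new `corenet_sendrecv_isakmp_server_packets(ipsec_t)`.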
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 1d4060d4..bfb051c3 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.3.4)
+policy_module(logging,1.3.5)
########################################
#
@@ -260,7 +260,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
allow syslogd_t self:unix_dgram_socket sendto;
allow syslogd_t self:fifo_file rw_file_perms;
-allow syslogd_t self:udp_socket { connected_socket_perms connect };
+allow syslogd_t self:udp_socket create_socket_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file create_file_perms;
@@ -306,15 +306,15 @@ init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
term_write_all_user_ttys(syslogd_t)
-corenet_raw_sendrecv_all_if(syslogd_t)
+corenet_non_ipsec_sendrecv(syslogd_t)
corenet_udp_sendrecv_all_if(syslogd_t)
-corenet_raw_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_ports(syslogd_t)
-corenet_non_ipsec_sendrecv(syslogd_t)
corenet_udp_bind_all_nodes(syslogd_t)
-corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
+# syslog-ng can send or receive logs
+corenet_sendrecv_syslogd_client_packets(syslogd_t)
+corenet_sendrecv_syslogd_server_packets(syslogd_t)
fs_getattr_all_fs(syslogd_t)
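Review bot: `corenet_tcp_bind_syslogd_port(syslogd_t)` is removed in the same hunk that adds the comment `# syslog-ng can send or receive logs` and `corenet_sendrecv_syslogd_server_packets(syslogd_t)`; if syslog-ng is expected to receive logs over TCP it still needs that bind (and tcp sendrecv rules, which the context lines show only for udp), so the removal and the comment pull in different directions. If only UDP reception is intended, make the comment say so, e.g. `# syslog-ng can send or receive logs over UDP`; otherwise keep the tcp bind line. The earlier hunk in this file widening `self:udp_socket` to `create_socket_perms` is consistent with the UDP-only reading.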
diff --git a/refpolicy/policy/modules/system/lvm.te b/refpolicy/policy/modules/system/lvm.te
index 18b8a366..b4d3753b 100644
--- a/refpolicy/policy/modules/system/lvm.te
+++ b/refpolicy/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.3.2)
+policy_module(lvm,1.3.3)
########################################
#
@@ -61,6 +61,7 @@ kernel_read_kernel_sysctls(clvmd_t)
kernel_list_proc(clvmd_t)
kernel_read_proc_symlinks(clvmd_t)
+corenet_non_ipsec_sendrecv(clvmd_t)
corenet_tcp_sendrecv_all_if(clvmd_t)
corenet_udp_sendrecv_all_if(clvmd_t)
corenet_raw_sendrecv_all_if(clvmd_t)
@@ -69,11 +70,10 @@ corenet_udp_sendrecv_all_nodes(clvmd_t)
corenet_raw_sendrecv_all_nodes(clvmd_t)
corenet_tcp_sendrecv_all_ports(clvmd_t)
corenet_udp_sendrecv_all_ports(clvmd_t)
-corenet_non_ipsec_sendrecv(clvmd_t)
corenet_tcp_bind_all_nodes(clvmd_t)
-corenet_udp_bind_all_nodes(clvmd_t)
corenet_tcp_bind_reserved_port(clvmd_t)
corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
+corenet_sendrecv_generic_server_packets(clvmd_t)
dev_read_sysfs(clvmd_t)
diff --git a/refpolicy/policy/modules/system/mount.te b/refpolicy/policy/modules/system/mount.te
index e430ceb1..9caa6f82 100644
--- a/refpolicy/policy/modules/system/mount.te
+++ b/refpolicy/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.3.5)
+policy_module(mount,1.3.6)
########################################
#
@@ -35,9 +35,6 @@ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
kernel_read_system_state(mount_t)
kernel_dontaudit_getattr_core_if(mount_t)
-corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
-
dev_getattr_all_blk_files(mount_t)
dev_list_all_dev_nodes(mount_t)
dev_rw_lvm_control(mount_t)
@@ -136,6 +133,8 @@ optional_policy(`
corenet_udp_bind_reserved_port(mount_t)
corenet_tcp_bind_all_rpc_ports(mount_t)
corenet_udp_bind_all_rpc_ports(mount_t)
+ corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
+ corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
corenet_tcp_connect_all_ports(mount_t)
fs_search_rpc(mount_t)
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 14006cb1..985a0eea 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -176,7 +176,6 @@ template(`base_user_template',`
corenet_udp_bind_all_nodes($1_t)
corenet_udp_bind_generic_port($1_t)
corenet_tcp_connect_all_ports($1_t)
- corenet_sendrecv_generic_packets($1_t)
corenet_sendrecv_all_client_packets($1_t)
dev_read_input($1_t)
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index db31c674..99be68cf 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.25)
+policy_module(userdomain,1.3.26)
gen_require(`
role sysadm_r, staff_r, user_r;
diff --git a/refpolicy/policy/modules/system/xen.te b/refpolicy/policy/modules/system/xen.te
index f8e183cd..c841a998 100644
--- a/refpolicy/policy/modules/system/xen.te
+++ b/refpolicy/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.0.4)
+policy_module(xen,1.0.5)
########################################
#
@@ -113,12 +113,14 @@ corecmd_exec_sbin(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
+corenet_non_ipsec_sendrecv(xend_t)
corenet_tcp_sendrecv_all_if(xend_t)
corenet_tcp_sendrecv_all_nodes(xend_t)
corenet_tcp_sendrecv_all_ports(xend_t)
-corenet_non_ipsec_sendrecv(xend_t)
corenet_tcp_bind_xen_port(xend_t)
corenet_tcp_bind_soundd_port(xend_t)
+corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_soundd_server_packets(xend_t)
dev_read_urand(xend_t)
dev_manage_xen(xend_t)
diff --git a/refpolicy/support/gennetfilter.py b/refpolicy/support/gennetfilter.py
index 69b8551a..1821b62d 100644
--- a/refpolicy/support/gennetfilter.py
+++ b/refpolicy/support/gennetfilter.py
@@ -11,7 +11,8 @@ import sys,string,getopt,re
NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
-DEFAULT_PACKET = "packet_t"
+DEFAULT_INPUT_PACKET = "server_packet_t"
+DEFAULT_OUTPUT_PACKET = "client_packet_t"
DEFAULT_MCS = "s0"
DEFAULT_MLS = "s0"
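Review bot: Splitting `DEFAULT_PACKET` into `DEFAULT_INPUT_PACKET = "server_packet_t"` and `DEFAULT_OUTPUT_PACKET = "client_packet_t"` encodes a policy decision (unsolicited inbound traffic on an unlisted port is treated as server-side, locally originated traffic as client-side) without saying so, and a reader of the generated iptables rules cannot recover that reasoning from the SECMARK lines alone. Suggest a comment above the two constants, e.g. `# Default SECMARK labels for packets whose port has no network_port entry: input chain -> server side, output chain -> client side.` The two later hunks that use these constants in `print_input_rules` and `print_output_rules` need no further change; whether established-connection replies are relabeled consistently depends on the rest of the generated chains, which this diff does not show.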
@@ -42,7 +43,7 @@ class Packet:
self.ports = ports
def print_input_rules(packets,mls,mcs):
- line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET
+ line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs:
@@ -63,7 +64,7 @@ def print_input_rules(packets,mls,mcs):
print "-A selinux_new_input -j RETURN"
def print_output_rules(packets,mls,mcs):
- line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET
+ line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
if mls:
line += ":"+DEFAULT_MLS
elif mcs: